Migrating to ISO/IEC 27001 ISMS from Cyber Essentials
Cyber Essentials
Cyber Essentials is a UK Government scheme that helps organisations, especially SMEs (small and medium-sized enterprises), to guard against the most common cyber threats and demonstrate commitment to cybersecurity. The standard is intended to be an affordable and achievable alternative to the international standard, ISO/IEC 27001. However, whilst Cyber Essentials provides a useful starting point for cybersecurity defence, it does not offer the ability to adjust and adapt the organisation’s defences to the ever-changing threat landscape. Moreover, the scope of ISO/IEC 27001 is much wider, facilitating protection from the loss of confidentiality, integrity and availability irrespective of the form of the information assets or the nature of the risk source.
Cyber Essentials comprises five technological controls:
1. A firewall to secure your Internet connection;
2. Secure settings for devices and software;
3. Control over who has access to your data and services;
4. Malware protection; and
5. Patch maintenance.
The Cyber Essentials website provides a clear explanation of what is required for each of these controls and a checklist to assist in checking for conformance. Organisations can self-certify or seek independent hands-on verification of conformance (called “Cyber Essentials Plus”).
Note on cost: For a micro organisation, Cyber Essentials Plus certification costs £300. For a similarly sized organisation, ISO/IEC 27006 specifies an initial audit time of 5 days. Including management fees, the cost of just the initial ISMS certification audit will be in the order of £7,200, making ISMS certification at least 24 times as expensive.
Want to know why?
Continual reassessment of risk
The diagram shows that an ISMS continually cycles through the four phases of establish, implement, maintain and improve. ISO/IEC 27001 (Clause 6.1.2) requires organisations to perform a risk assessment. This is repeated (Clause 8.2) at planned intervals and when significant changes are proposed or occur. Thus, news of a new type of cyber attack, or of an incident that has befallen another organisation, such as a successful ransomware attack, should trigger a reassessment (which need only take a few minutes). The outcome of such a reassessment could simply be “we are safe”; but it could also result in a change to the risk treatment plan (Clause 6.1.3).
Comprehensive, robust risk treatment plans
The risk treatment plan (RTP) specifies the controls necessary to manage risk and how they interact. It will be a mix of organisational, people and physical controls, as well as technological controls. It will also likely be a mix of preventive, detective, and reactive controls. In other words, it prescribes a defence somewhat more comprehensive than the five technological controls specified by Cyber Essentials, and will be more resilient to control failures.
An ISMS is dynamic
A reassessment of risk leading to a change to the RTP alters the defensive position of the organisation to cater for the new situation. Thus, an ISMS is dynamic, self-adjusting to changes in threat.
Migration from Cyber Essentials to a certified ISO/IEC 27001 ISMS is best performed in stages, but, just as an ISMS is hand-crafted to suit an organisation, so the migration strategy must be similarly tailored.
How can I do this?
One approach is to:
- Follow the event-scenario guidance given in BS 7799-3:2017 (“Guidelines for information security risk management”) for the hacking scenario, making sure that you include the five Cyber Essentials controls in your RTP (see the note on DefStan 05-138 below).
- Expand your consideration of event-scenarios to include all of those presented in Table 4 of BS 7799-3.
- Compare the necessary controls that you have determined as a result of considering all the event-scenarios in BS 7799-3, Table 4 with the controls contained in ISO/IEC 27001, Annex A to determine whether you have inadvertently omitted any necessary control.
- Continue to implement each ISO/IEC 27001 requirement until all are fulfilled.
- You should then be ready for ISMS certification.
The essential characteristic of this strategy is that you should be able to terminate the sequence at any stage and still have a positive return on your investment, at least in terms of cybersecurity/information security defence.
Note on DefStan 05-138: Attainment and maintenance of Cyber Essentials certification corresponds to the second cybersecurity profile defined in the UK Government Cybersecurity Standard (DefStan 05-138) for Defence Suppliers. UK Government guidance correctly points out that ISO/IEC 27001 certification is not a substitute for DefStan 05-138, but nevertheless states:
- ISO/IEC 27001 will assist in achieving elements of requirements within DefStan 05-138.
- A security professional should be able to interpret the intention of DefStan 05-138 requirements and identify the controls from other standards that would meet those and address the remaining controls separately.
Indeed, the correct way to view the relationship between ISO/IEC 27001 and DefStan 05-138 is that the latter raises interested party requirements on the former (see ISO/IEC 27001, Clause 4.2 in the circle diagram above). The relationship between Cyber Essentials and ISO/IEC 27001 is no different. Hence the need to include the five Cyber Essentials controls in your RTP.
An option during the initial stages of this migration strategy is to include other DefStan 05-138 cybersecurity profiles as interested party requirements. Thus, migration would take on board other DefStan 05-138 cybersecurity profiles as well as moving towards full ISO/IEC 27001 conformity.
How can IMS-Smart help?
IMS-Smart provides expert ISMS consultancy. We have two software-as-a-service offerings and some books, all of which are relevant to Cyber Essentials–to–ISMS migration. We can:
- devise a tailored Cyber Essentials–to–ISMS migration strategy for you;
- guide you through its implementation;
- help you to make strategic and tactical changes, e.g., deciding whether to stop or continue;
- ensure the beneficial reuse of existing policies, procedures and technology;
- prevent the introduction of any undesirable bureaucracy;
- support you in any ISMS certification activity and help ensure that your audits are free from unsafe nonconformities (see the note below);
- ultimately help you to extend your ISMS for conformance with other management system standards, such as ISO/IEC 27701 (privacy), ISO 22301 (business continuity) and ISO 9001 (quality), resulting in a truly integrated management system.
Note on nonconformities: A nonconformity is the non-fulfilment of a requirement. That requirement can be an ISO/IEC 27001 requirement (Clauses 4 to 10) or your own organisational requirement. In all cases it should be possible to pin the nonconformity precisely against one or other type of requirement. If this cannot be done, the nonconformity is unsafe and should perhaps be withdrawn or recast as an opportunity for improvement.
We have assisted many organisations to develop their ISMS and have provided training in the UK, Norway, Latvia, Germany, Switzerland, Saudi Arabia, Kuwait, Qatar, Mauritius, India, South Korea and Singapore. The fastest ISMS construction from start to readiness for certification was 7 weeks, but typically training and preparation has ranged between 4 and 6 months.
How can I find out more and obtain a quotation?
Please use our enquiry facility or send us an email to start a conversation. We can continue by telephone or video conferencing. Once we understand your requirements, we will be pleased to prepare a quotation and submit it for your consideration. Hopefully, you will find that it is competitive, and offers quality and value for money.